
Privacy Policy

Last updated: May 29, 2026

1. Introduction

Welcome to Make It Compound. We are a financial coaching and education business helping middle-income families take control of their money and build lasting wealth. This Privacy Policy explains how we collect, use, and protect information about you when you visit makeitcompound.com, use our client portal, or interact with our services.

This policy covers three surfaces:

  • The public marketing website (makeitcompound.com).
  • Compound — our consumer budgeting app at /app.
  • Compound for Coaches — our B2B platform at /coach, through which subscribed financial coaches can view their connected clients' budgets to provide coaching support.

Where practices differ between surfaces, we note that clearly. Section 11 below covers Compound for Coaches specifically — the coach-to-client data relationship, what coaches can and cannot see, and how clients control that access.

If you have questions about this policy, you can reach us at hello@makeitcompound.com.

2. Information We Collect

Information You Give Us — Public Site

We collect information you voluntarily provide when you:

  • Subscribe to our newsletter — We collect your email address and, optionally, your first name.
  • Book a coaching call — When you schedule through Calendly, you provide your name, email address, and any information you choose to share in the booking form.
  • Send us an email — We collect the content of your message and your email address.

Information You Give Us — Client Portal

Coaching clients who access the client portal may provide and store additional financial information, including:

  • Account information — Bank account names, last-four digits of account numbers, account type, and account balances that you enter manually or that are imported via Plaid (see Section 5).
  • Transaction data — Financial transactions imported via bank connection or uploaded by CSV, including merchant names, amounts, and dates.
  • Budget and goal data — Monthly spending limits, savings goals, debt balances, and progress toward financial targets that you enter manually.
  • Profile information — Your name, household size, and estimated monthly income that you provide during onboarding.

Information Collected Automatically

When you visit our site, we and our service providers may automatically collect:

  • IP address and approximate geographic location
  • Browser type and version
  • Pages visited, time spent on each page, and navigation paths
  • Referring website or search terms that brought you here
  • Device type and operating system

This information is collected via Google Analytics and Cloudflare Web Analytics. Cloudflare Web Analytics is privacy-friendly and does not use cookies or track individuals across sites. Google Analytics may use cookies — see the Cookies section below. Analytics tracking is limited to the public marketing site and does not apply inside the client portal.

Cookies

We use a small number of cookies to make the site work properly and to understand how visitors use it. Google Analytics sets cookies to distinguish users and track sessions. The client portal uses cookies managed by Supabase solely for authentication and session management — these are strictly necessary and contain no financial data. You can control cookies through your browser settings. For a full list, see our Cookie Policy.

3. How We Use Your Information

We use the information we collect to:

  • Send our email newsletter with financial tips and updates (ConvertKit)
  • Respond to your questions and inquiries
  • Operate, maintain, and improve our services
  • Client portal only: Power your personal financial dashboard — displaying account balances, transactions, budgets, goals, and financial health analytics visible only to you and your coach.
  • Client portal only: Allow your coach to view and annotate your financial picture to provide personalized coaching guidance.

We never sell your personal data — including financial data — to third parties. We do not share your information with advertisers or data brokers.

4. How We Store and Protect Your Data

Your data is stored across two platforms, each chosen for a specific purpose:

  • Cloudflare D1 + R2 (U.S. region) holds all financial data in the client portal — accounts, transactions, budgets, goals, debts, household membership, and coach connections. Cloudflare provides edge-level encryption in transit (TLS 1.3) and at rest, ISO 27001 + SOC 2 Type II compliance, and automated daily replication. Transaction history older than 24 months is archived to Cloudflare R2 object storage and accessible on demand for the same user.
  • Supabase Auth (U.S. region) handles authentication only — email-based sign-in, multi-factor authentication state, and session management. No financial data is stored in Supabase. Supabase Auth is SOC 2 Type II compliant and uses TLS 1.2+ in transit.

Application-level protections:

  • Every database query is scoped server-side to the authenticated user's household. If you are part of a shared household, your household members can see the same shared budget, transaction, and net worth data as you — this is intentional and is what makes household budgeting work. Users who have not joined a household are isolated to their own data only. A tampered request cannot cross household boundaries.
  • Sensitive values are encrypted at the application layer with AES-256-GCM before storage — including Plaid access tokens, coach-private session notes, and the last four digits retained for account masking.
  • Bank account numbers are never stored in full. Only the last four digits are retained, and they are encrypted at the application level.

Access to your financial data inside the portal is limited to:

  • You, when you are signed in.
  • Your connected coach, if any, with read-only access to your budget data only — never to coach-private session notes about you, and never to data of any other user's coach.
  • The platform administrator, for support and compliance purposes. Every administrator access is logged in an append-only audit log you can review from your settings.
  • Cloudflare and Supabase infrastructure personnel, subject to their own strict access controls and privacy commitments.

5. Plaid and Bank Connections

When you choose to connect a bank account to the client portal, we use Plaid Technologies, Inc. to facilitate that connection. Plaid is a trusted financial data network used by thousands of financial applications.

How it works: When you initiate a bank connection, a secure Plaid window opens in your browser. You log in to your bank directly through Plaid — your bank credentials are entered into Plaid's interface, never sent to or stored by Make It Compound. Plaid then provides us with a secure access token that allows us to retrieve account balances and transactions on your behalf.

What Plaid shares with us:

  • Account names and last-four digits of account numbers
  • Account balances (current and available)
  • Transaction history (merchant name, amount, date, category)
  • Account type and institution name

What Plaid does not share with us: Your full account numbers, routing numbers, Social Security number, or bank login credentials. We never see or store your bank username or password.

Your use of Plaid is also governed by the Plaid Privacy Policy. You can disconnect your bank accounts at any time from the Accounts page in the portal, which revokes our access token and stops further data retrieval. You can also manage app connections directly through Plaid's consumer portal.

Plaid access tokens are stored encrypted in our database. We use Plaid solely to retrieve your financial data for display in your coaching portal — we do not use it for credit decisions, marketing profiling, or any purpose other than powering your personal financial dashboard.

Your rights as an authorized third party under CFPB §1033 (Personal Financial Data Rights): When you connect a bank account via Plaid, you are authorizing Make It Compound as a third party to receive a limited set of your financial data from your bank. You may revoke that authorization at any time from the Accounts page in your portal or directly at my.plaid.com; revocation stops further data retrieval immediately and revokes the Plaid access token on our side. We collect only the data described above, use it only for the dashboard and coaching purposes described in Section 3, do not retain it longer than necessary, and do not re-sell or otherwise monetize it. To request deletion of bank-derived data we hold about you, use the self-serve account deletion in Settings → Data & privacy or email hello@makeitcompound.com.

6. Email Marketing

Our email newsletter is powered by ConvertKit (Kit). When you subscribe, your name and email address are stored in ConvertKit's system and governed by their privacy policy.

You can unsubscribe at any time by clicking the unsubscribe link at the bottom of any email we send. We will never send you emails you did not opt in to receive. Client portal users receive system notifications only (e.g., magic link sign-in emails) — they are not added to marketing lists without separate opt-in.

7. Third-Party Services

We use the following third-party services to operate Make It Compound. Each service collects and processes data according to its own privacy policy.

  • Cloudflare — Hosting, content delivery, edge compute (Workers), database (D1), object storage (R2), and privacy-friendly analytics. The application code and all financial data live on Cloudflare. Cloudflare Privacy Policy
  • Supabase — Authentication and session management only. No financial data. Supabase Privacy Policy
  • Plaid — Bank account connection and transaction data retrieval (client portal only). Plaid Privacy Policy
  • Stripe — Subscription billing for the Compound app and Compound for Coaches platform. Stripe receives your email, billing name, and payment details; it never receives your financial data from the portal. Stripe Privacy Policy
  • Resend — Transactional email delivery (sign-in links, billing receipts, coach invitations, data export notifications). Resend receives your email address and the message contents. Resend Privacy Policy
  • Google Analytics — Site analytics and traffic measurement (marketing site only — never inside the portal). Google Privacy Policy
  • ConvertKit (Kit) — Email marketing and list management. ConvertKit Privacy Policy
  • Calendly — Appointment booking for coaching calls. Calendly Privacy Policy
  • Teachable — Online course hosting and delivery. Teachable Privacy Policy
  • Sanity — Content management for blog posts and marketing content. Sanity receives only published marketing content, never personal or financial data. Sanity Privacy Policy

8. Data Retention

We retain your personal information for as long as necessary to provide our services or as required by law.

  • Active client portal data — Accounts, transactions, budgets, goals, and debts are retained for as long as your subscription is active. Transaction history older than 24 months is moved from our hot database to Cloudflare R2 object storage and remains accessible to you via the export feature.
  • Account deletion — When you initiate deletion from your settings, your account enters a 7-day grace period during which you can cancel and restore access. After the grace period, every owned record across our databases is permanently erased, all Plaid bank connections are revoked, and your authentication account is removed. No manual support request is required.
  • Audit logs — Authentication events, coach accesses, and administrative actions are retained for 90 days in our hot store and then archived to Cloudflare R2 for compliance recordkeeping. Email-delivery events (bounces and complaints) are kept for one year as deliverability evidence; all other email events for 90 days.
  • Email subscribers — We keep your email address and name until you unsubscribe or request deletion.
  • Analytics data — Retained according to Google Analytics and Cloudflare's default retention settings (typically 14 months for Google Analytics).
  • Booking records — Calendly retains appointment data per their own retention policy.

9. Your Rights and Data Deletion

Regardless of where you live, you can exercise the following rights with respect to the information we hold about you:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Request deletion of your personal data
  • Opt out of marketing communications at any time
  • Lodge a complaint with a data protection authority

To delete your account: Self-serve deletion is available from Settings → Data & privacy inside the portal. Initiating deletion starts a 7-day grace period (you can cancel from a banner in the app), after which your account, financial data, Plaid connections, and authentication record are all permanently erased automatically. No support ticket required.

To export your data first: The same settings page lets you request a JSON or CSV export of every record we hold for your account, delivered via a secure download link that expires in 7 days.

To make any other privacy request, email us at hello@makeitcompound.com. We will verify the request by matching the email address against the authenticated account on file and respond within 45 days (we may extend once by an additional 45 days where reasonably necessary, with notice). You may authorize an agent to act on your behalf; we will require the agent to provide signed written permission from you and may ask you to verify your identity directly.

9.1 California residents (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know. The categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it. These are disclosed in Sections 2, 3, 5, 7, and 8 above.
  • Right to delete personal information we have collected from you, subject to legal-retention exceptions.
  • Right to correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under California law. This right has no operative effect for us, but we honor it by policy. Our footer link titled “Do Not Sell or Share My Personal Information” reflects this commitment.
  • Right to limit use of sensitive personal information. We use sensitive personal information (including financial account information) only for the purposes described in Section 3 and as permitted by CPRA §7027(m). We do not use it to infer characteristics about you.
  • Right to non-discrimination. We will not deny services, charge different prices, or provide a different level of quality because you exercise a CCPA right.

Categories collected in the prior 12 months (as defined by Cal. Civ. Code §1798.140): identifiers (name, email, IP); commercial information (subscription transactions); internet/network activity; geolocation (approximate, from IP); financial information (bank-account metadata and transactions, via Plaid); inferences (budget categories derived from transactions). We have not sold or shared (as those terms are defined) any of these categories in the last 12 months and do not knowingly collect personal information from anyone under 16 for sale or share.

9.2 Other U.S. state privacy rights

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and others — have substantially similar rights to those described above: access, deletion, correction, portability, opt-out of targeted advertising and sale (n/a for us, as noted), and the right to appeal a denied request. To exercise any state privacy right, email hello@makeitcompound.com with the subject line “Privacy Request — [state].” If we deny your request, you may appeal by replying within 60 days; we will respond to the appeal within 45 days and, if we deny it, will provide contact information for your state attorney general.

9.3 EU, UK, and Swiss residents (GDPR / UK GDPR)

If you are in the EU, UK, or Switzerland and we process your personal data, we do so on the following lawful bases (Art. 6 GDPR):

  • Contract (Art. 6(1)(b)). Processing necessary to deliver Compound or Compound for Coaches once you sign up — including authentication, syncing the financial data you connect, and providing coach-visibility where applicable.
  • Consent (Art. 6(1)(a)). Marketing emails, lead-magnet sign-ups, and the use of non-essential cookies. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legitimate interests (Art. 6(1)(f)). Operating, securing, and improving the service; detecting fraud and abuse; managing customer support. We balance these interests against your rights and freedoms and you may object via hello@makeitcompound.com.
  • Legal obligation (Art. 6(1)(c)). Tax/accounting recordkeeping, responding to lawful requests from authorities, and retaining bounce/complaint records for sender-reputation purposes.

You also have the rights of access, rectification, erasure, restriction, portability, and objection under Articles 15–22, plus the right to lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office). Cross-border transfers of personal data from the EU/UK to the United States rely on the EU–US Data Privacy Framework where applicable and on Standard Contractual Clauses with our sub-processors otherwise. We have not appointed an EU/UK representative under Art. 27 because our offering is not directed at EU/UK residents; if you believe an Art. 27 representative is required for our processing of your data, please contact us and we will assess and respond.

9.4 Financial data — GLBA & state financial-privacy laws

Some of the information we collect through the client portal is “nonpublic personal information” as that term is defined in the Gramm-Leach-Bliley Act (GLBA). Make It Compound is not itself a “financial institution” under GLBA; we are a coaching and software provider that receives this information at your direction via Plaid (Section 5). We do not disclose nonpublic personal information to any non-affiliated third party except (a) to service providers that process the data on our behalf under confidentiality obligations (listed in Section 7), (b) as necessary to provide a product or service you requested, (c) with your consent, or (d) as required by law. State financial privacy laws (including the California Financial Information Privacy Act and, where applicable, New York DFS Cybersecurity Regulation 23 NYCRR Part 500 and Vermont's GLBA implementation) inform our practices for residents of those states.

10. Minors' Privacy

Make It Compound and the Compound app are intended for adults age 18 and over. We do not knowingly collect personal information from anyone under 13 (per the Children's Online Privacy Protection Act — “COPPA”) and do not knowingly create accounts for anyone under 18. If a parent or guardian believes a child has provided us with personal information, please contact hello@makeitcompound.com and we will delete the information promptly.

Family-share and teen-summary features. Some optional features (for example, a teen budget summary shared from a parent's account) may surface limited information about a minor in a child's household. These features are opt-in by the account holder, do not create an independent account for the minor, do not target advertising to the minor, and do not enable the minor to log in. To the extent California's Age-Appropriate Design Code Act (AADC) or similar state laws apply to data we receive about minors between 13 and 17, we apply heightened privacy defaults consistent with those laws and do not profile minors except as necessary to provide the requested feature.

11. Compound for Coaches (B2B platform)

Compound for Coaches lets subscribed financial coaches view their connected clients' budget data so they can provide informed coaching support. This section covers exactly what coaches can see, what they cannot, and how clients stay in control.

The connection is opt-in. A coach can only see a client's data after the client has either (a) entered the coach's code in their own settings, or (b) accepted an invitation email from that coach by creating their own Compound account through the invitation link. We never connect a client to a coach without an explicit action by the client.

What a connected coach can see. Read-only access to the client's budget, transactions, accounts, goals, and debts — the same data the client sees in their own dashboard. If the client is a member of a shared household, the coach sees the household's combined data (all household members' transactions and accounts), exactly as the client does. Other household members are not separately notified that their data is visible to the client's coach; if household members share financial data, they share coach-visibility of that data too. Each household member can independently disconnect from a coach by contacting us at hello@makeitcompound.com.

What a connected coach cannot do. Coaches cannot create, edit, or delete anything in a client's account. They cannot view another coach's clients. They cannot move money, change settings, or contact third parties on the client's behalf.

Session notes are coach-private. Coaches may keep private notes about each client (session date, topics discussed, follow-ups). These notes are encrypted at rest, are visible only to the coach who wrote them, and are never shown to the client. Clients cannot read, modify, or be informed of the contents of a coach's notes about them. We treat this as a strict privacy boundary in both code and policy.

Transparency log. Every time a coach views the client's data, the access is recorded in an append-only log that the client can review at any time from their settings. The log records the coach, the timestamp, and the type of access — no surprises.

Disconnection. A client can sever the connection at any time from their settings page. Disconnection is immediate and irreversible without a new invitation. The client's data stays with them; the coach loses all access on the next request.

Admin access. When the platform administrator (the single ADMIN_EMAIL account) views a client's data for support or compliance purposes, the access is logged with an ADMIN_ prefix in the same transparency log so the client can tell admin access apart from coach access. Admin cannot read coach-private session notes, even with full database access — that boundary is enforced both in the code and as policy.
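The access rules laid out in this section (opt-in connection, read-only coach access, coach-private session notes, an append-only transparency log with an ADMIN_ prefix for administrator views, and immediate disconnection) map onto a small authorization check. The Node.js block below is an added example and not Make It Compound's own code: the `connections` array, the `viewer` shape (`role`, `id`, `email`), the resource names and the placeholder admin address are all assumptions chosen for the illustration; admin write access being denied is also an assumption of the example, not a statement from the policy.

```javascript
// Added example (not Make It Compound's code): coach/client authorization
// plus an append-only transparency log. Assumed: a connections list of
// { coachId, clientId, active }, viewers shaped { role, id, email }, and a
// placeholder admin e-mail standing in for the configured ADMIN_EMAIL value.
const ADMIN_EMAIL = "admin@example.invalid"; // placeholder, not the real value

const RESOURCES = new Set(["budget", "transactions", "accounts", "goals", "debts", "session_notes"]);

function makeAuthorizer(connections, adminEmail) {
  const log = []; // append-only: nothing outside this closure can mutate it

  function isConnected(coachId, clientId) {
    return connections.some(c => c.coachId === coachId && c.clientId === clientId && c.active);
  }

  // Pure decision: who may do what to a client's data.
  function decide(viewer, clientId, resource, action) {
    if (!RESOURCES.has(resource)) return { allow: false, reason: "unknown resource" };
    // Session notes belong to the coach who wrote them: never the client, never admin.
    if (resource === "session_notes") {
      const ok = viewer.role === "coach" && isConnected(viewer.id, clientId);
      return { allow: ok, reason: ok ? "note owner" : "session notes are coach-private" };
    }
    if (viewer.role === "client" && viewer.id === clientId) return { allow: true, reason: "owner" };
    if (viewer.role === "coach") {
      if (action !== "read") return { allow: false, reason: "coach access is read-only" };
      const ok = isConnected(viewer.id, clientId);
      return { allow: ok, reason: ok ? "connected coach" : "no active connection" };
    }
    if (viewer.role === "admin" && viewer.email === adminEmail) {
      // Example assumption: admin support access is read-only too.
      return { allow: action === "read", reason: "admin support access" };
    }
    return { allow: false, reason: "not permitted" };
  }

  // Decide and, for coach or admin viewers, append a log entry (allowed or denied).
  function access(viewer, clientId, resource, action, now = new Date()) {
    const d = decide(viewer, clientId, resource, action);
    if (viewer.role === "coach" || viewer.role === "admin") {
      const prefix = viewer.role === "admin" ? "ADMIN_" : "COACH_";
      log.push({
        at: now.toISOString(),
        clientId,
        actor: viewer.id,
        type: prefix + action.toUpperCase() + "_" + resource,
        allowed: d.allow,
      });
    }
    return d;
  }

  // What the client sees in Settings: copies of their own entries only.
  function readLog(clientId) {
    return log.filter(e => e.clientId === clientId).map(e => ({ ...e }));
  }

  // Client-initiated disconnection takes effect on the next request.
  function disconnect(coachId, clientId) {
    for (const c of connections) {
      if (c.coachId === coachId && c.clientId === clientId) c.active = false;
    }
  }

  return { access, readLog, disconnect };
}
```

Keeping `decide` free of side effects and doing all logging in `access` makes the rule set unit-testable on its own, while guaranteeing that no coach or admin read can reach the data without leaving a log entry, which is the property the transparency log promises.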

What we share with the coach's payment processor. If a coach holds a paid Compound for Coaches subscription, we share their name, email, and subscription metadata with Stripe (our payment processor) for billing. We do not share any client data with Stripe. Stripe's own privacy policy applies to their handling of that data.

If the coach's subscription lapses. The coach loses access to the coach dashboard, but the connection record is preserved and the client's data is untouched. The coach can resubscribe at any time and regain access without re-inviting the client.

12. Security Incidents and Breach Notification

We maintain technical and organizational security measures designed to protect your personal and financial data. In the event of a security incident that we determine has resulted in, or is likely to result in, unauthorized access to your personal or financial data, we will:

  • Investigate promptly. Upon detecting or being notified of a potential incident, we will investigate to assess the nature, scope, and likely impact.
  • Notify affected users. If we confirm a breach that is reasonably likely to result in harm to you, we will notify you by email to the address on your account within 72 hours of confirming the breach (or as soon as feasible, if the scope of affected accounts takes longer to determine). The notice will describe: what happened, the types of information involved, steps we have taken or are taking, and what you can do to protect yourself.
  • Notify authorities where required. We will report confirmed breaches to applicable data protection authorities (including state attorneys general under U.S. state breach notification laws, and supervisory authorities under GDPR Art. 33 within 72 hours where applicable) as required by law.
  • Remediate. We will take reasonable steps to contain the incident, remediate vulnerabilities exploited, and prevent recurrence.

If you believe your account has been compromised, please notify us immediately at security@makeitcompound.com or hello@makeitcompound.com. We will investigate and respond promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we do, we will revise the “Last updated” date at the top of this page. For material changes affecting how we collect, use, or share your financial data, we will notify affected portal users by email at least 30 days before the change takes effect and, where required by applicable law, will obtain your affirmative consent before the new processing begins. Continued use after a non-material update constitutes acceptance; for material changes, your continued use after the notice period constitutes acceptance.

14. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or how we handle your data, please contact us:

Make It Compound
Email: hello@makeitcompound.com
Security disclosures: security@makeitcompound.com
Mailing address: 12527 Central Ave NE #256, Blaine, MN 55434
Website: makeitcompound.com